Abstract

We use standard linear-time temporal logic to specify cryptographic protocols, model the system penetrator, and specify correctness requirements. The requirements are specified as standard safety properties, for which standard proof techniques apply. In particular, we are able to prove that the system penetrator cannot obtain a session key by any logical or algebraic techniques. We compare our work to Meadows' method. We argue that using standard temporal logic provides greater flexibility and generality, firmer foundations, easier integration with other formal methods, and greater confidence in the verification results.


1 Introduction

We have started work on a project to apply temporal logic to reason about cryptographic protocols. Some of the goals of the project are as follows.

1. Allow the user to state and prove that the penetrator cannot use logical or algebraic techniques (so, e.g., we disregard probabilistic attacks) to obtain certain words (e.g., session keys). Although this is a vital correctness condition for cryptographic protocols, as far as we know, Meadows' method ([Mea92]) is the only approach that has successfully proved such statements. This is surprising in light of the large number of papers written about formal analysis of cryptographic protocols.

2. As far as possible, we will employ the standard concepts and techniques used in verifying the correctness of distributed systems. In the large number of papers on cryptographic protocol analysis, there is a general tendency to introduce new logics with many special-purpose axioms. (One exception is the work of Bieber et al. [BBCLvW93]; however, that work does not address our first goal.) Based on our work so far, we see no reason to introduce any new axioms. We plan to use only existing logics.

In this paper, we provide a rough idea of our approach, describe the progress to date, and outline what we believe will be the primary advantages of our approach. Since the approach of Meadows and Syverson (see [Mea92], [SM93], and [SM94]) is most closely related to our work, at various places throughout the paper we make comparisons between ours and theirs.


2 Model

An important step in any security analysis is to set out the threats and capabilities of the penetrators that are being countered. That is, we need to establish the precise objectives of the penetrator (i.e., the threats that are of concern) and the capabilities that the penetrator can use to accomplish those objectives. These objectives and capabilities must be expressible within the model that is used in our security analysis.

2.1 Threats

Roughly speaking, we want to reason about protocols that establish a key for use during a session involving two participants: the initiating participant, which we'll denote by A, and the receiving participant, which we'll denote by B. Typically, there is another legitimate participant of the protocol, the key server, which we'll denote by S. The types of threats that concern us (i.e., the objectives of the penetrator) are the following. (Later, we will make these threats precise in the form of requirements on the protocol.)

1. During the process of distributing keys to the legitimate participants, a key is accidentally disclosed to the penetrator in addition to being accepted as a good key by one of the legitimate participants (viz., either A or B);

2. A key is accepted (by one of the legitimate participants) for a given session between participants A and B and then later accepted for a different session, perhaps with different participants;

3. One of the legitimate participants accepts a key that was not generated by the key server expressly for the present session;

4. B accepts a key for a session that is ostensibly with A, but in fact was not initiated by A.

2.2 Penetrator Capabilities

Roughly speaking, we are concerned with a penetrator that has complete control over the communication network. As such, we allow the penetrator to have the following capabilities. The penetrator can:

1. intercept all outgoing messages;

2. modify any message (in any way consistent with the keys she possesses; e.g., the penetrator cannot encrypt or decrypt a piece of data with a key that she does not possess);

3. deliver any message (that she possesses) to any legitimate participant;

4. start up any number of legitimate participants (e.g., if it furthers her objectives, the penetrator could start up multiple instances of a participant acting as the initiator of the protocol).

2.3 Justification of the Penetrator's Capabilities

It may seem that we are giving the penetrator too much power. For example, in the above, we have given the penetrator complete control over the network. It is as if every aspect of the network (barring the relatively few "legitimate" participants of the protocol, viz., A, B, and S) has been subverted by the penetrator. However, allowing the penetrator to have such control essentially gives us a worst-case analysis of the security of the protocol. That is, when reasoning about security, we typically want to know what is the worst possible situation that the system can get into. Therefore, we have given the penetrator the greatest possible capability short of subverting the legitimate participants of the protocol.

In addition to these considerations, one of the capabilities described in the previous section merits some further justification. Namely, the capability to "start up any number of legitimate participants" is provided so that we can reason about arbitrary interleaving attacks, such as those described in [DvOW92].
2.4 Definition of the Model

The above threats and capabilities motivate the model we adopt, which was originally formulated by Dolev and Yao [DY83] and later substantially generalized by Meadows [Mea92]. In this section, we set out this model.

We start by describing our general model of distributed computation, which is based on a standard model from the distributed computing literature, namely, the so-called "interleaving" model in which all events (including concurrent events) occurring during an execution of the system are interleaved to form a single "trace" of that execution (see, e.g., [Lam91]). As is standard, we will consider a trace to be an infinite sequence of system states.² The system is then characterized by its set of possible traces.

The distributed system consists of a set of agents, $P_1, P_2, \ldots, P_i, \ldots$, each with a local state, along with a communication medium. A global system state (i.e., an element of a system trace) is composed of the local state for each agent together with the state of the communication medium.

Each agent's local state is represented by a set of local state variables. We will indicate that a particular state variable, say $x$, is local to a particular agent, say $P_i$, using a dot notation similar to the notation used for references to fields of a record in Pascal, viz., $P_i.x$. For example, each agent may use a local program counter named $pc$ to keep track of its local execution of the protocol. Program counters local to different agents can be distinguished by the dot notation.

We represent the communication medium as a set of messages, $\mu$. We will write $\mathrm{send}(P_i, P_j, m)$ to denote that agent $P_i$ sends the message $m$ (i.e., places it on the communication medium) addressed to $P_j$. We make this precise using Lamport's Raw Temporal Logic of Actions (RTLA) [Lam91].³

Recall that in RTLA, an action is a statement about pairs of states. Unprimed state variables (e.g., $\mu$) refer to the value in the first state and primed state variables (e.g., $\mu'$) refer to the value in the second state. We define the send action as follows.

$$\mathrm{send}(P_i, P_j, m) \;\triangleq\; \mu' = \mu \cup \{(P_i, P_j, m)\}$$

Similarly, we write $\mathrm{receive}(P_i, P_j, x)$ to denote that $P_i$ blocks until there is a message on the communication medium from $P_j$ and then the contents of that message are copied to $P_i$'s local state variable, $x$. We make this precise using RTLA as follows.

$$\mathrm{receive}(P_i, P_j, x) \;\triangleq\; (\exists m)[\,(P_j, P_i, m) \in \mu \;\wedge\; \mu' = \mu - \{(P_j, P_i, m)\} \;\wedge\; P_i.x' = m\,] \qquad (1)$$

We also allow agents to receive messages without specifying the sender. We denote such an action by $\mathrm{receive}(P_i, p, x)$, where $p$ is a state variable local to $P_i$. We define this action as follows.

$$\mathrm{receive}(P_i, p, x) \;\triangleq\; (\exists P_j, m)[\,(P_j, P_i, m) \in \mu \;\wedge\; \mu' = \mu - \{(P_j, P_i, m)\} \;\wedge\; P_i.x' = m \;\wedge\; P_i.p' = P_j\,] \qquad (2)$$

² A "terminating" computation is modeled as an infinite trace that has a finite prefix representing the computation prior to "termination", the final state of which is repeated (or "stuttered") infinitely to form the remainder of the trace [Lam91].

³ We use Raw TLA since in the present paper we are unconcerned with the issues of refinement.

Now, the capabilities of the penetrator can be expressed in terms of the model as follows. We will have a designated agent, $E$, representing the penetrator. Part of the penetrator's local state is a set of "words" that she possesses, denoted $E.\mathit{words}$. This set of words includes the messages that she has received over the communication medium as well as words the agent has computed by performing operations (e.g., encryption) over the set of words she already possesses.

$E$ nondeterministically performs some sequence of actions, chosen from the following possibilities.

• intercept a message and add it to $E.\mathit{words}$;

• produce a new word by performing some operation (e.g., encryption) on some words that she already possesses and add the new word to $E.\mathit{words}$. Note that if the penetrator already possesses some encrypted word $\mathrm{encrypt}(m, k)$, she must also possess the encryption key, $k$, in order to produce the clear-text message, $m$;

• send some word that is in $E.\mathit{words}$ to any legitimate participant (ostensibly from any other participant).

Before formalizing these actions, we recall a particular action that is often useful in RTLA specifications; namely, $\mathrm{Unchanged}(\alpha)$, where $\alpha$ is a set of state variables, specifies that every variable in $\alpha$ does not change. More precisely, we'll use the following definition.⁴

$$\mathrm{Unchanged}(\{v_1, v_2, \ldots, v_n\}) \;\triangleq\; v_1 = v_1' \;\wedge\; v_2 = v_2' \;\wedge\; \ldots \;\wedge\; v_n = v_n'$$

⁴ This definition of $\mathrm{Unchanged}(\alpha)$ is actually a special case of Lamport's definition, but it is sufficient for our purposes.

For convenience in specifying the set of variables that do not change, let $\sigma$ be the set of all state variables, including all agents' local state and the communication medium. We define the action of the penetrator intercepting a message by
$$\mathit{intercept} \;\triangleq\; (\exists P_i, P_j, m)[\,(P_i, P_j, m) \in \mu \;\wedge\; \mu' = \mu - \{(P_i, P_j, m)\} \;\wedge\; E.\mathit{words}' = E.\mathit{words} \cup \{m\} \;\wedge\; \mathrm{Unchanged}(\sigma - \{\mu, E.\mathit{words}\})\,]$$

The action of the penetrator producing a new word from other words she already possesses is defined as follows.

$$M1 \;\triangleq\; (\exists m, K)[\, m \in E.\mathit{words} \;\wedge\; K \in E.\mathit{words} \;\wedge\; E.\mathit{words}' = E.\mathit{words} \cup \{\mathrm{encrypt}(m, K)\}\,] \;\wedge\; \mathrm{Unchanged}(\sigma - \{E.\mathit{words}\})$$

$$M2 \;\triangleq\; (\exists m, K)[\, m \in E.\mathit{words} \;\wedge\; K \in E.\mathit{words} \;\wedge\; E.\mathit{words}' = E.\mathit{words} \cup \{\mathrm{decrypt}(m, K)\}\,] \;\wedge\; \mathrm{Unchanged}(\sigma - \{E.\mathit{words}\})$$

$$M3 \;\triangleq\; (\exists m, K)[\, \mathrm{decrypt}(\mathrm{encrypt}(m, K), K) \in E.\mathit{words} \;\wedge\; E.\mathit{words}' = E.\mathit{words} \cup \{m\}\,] \;\wedge\; \mathrm{Unchanged}(\sigma - \{E.\mathit{words}\})$$

$$M4 \;\triangleq\; (\exists m, K)[\, \mathrm{encrypt}(\mathrm{decrypt}(m, K), K) \in E.\mathit{words} \;\wedge\; E.\mathit{words}' = E.\mathit{words} \cup \{m\}\,] \;\wedge\; \mathrm{Unchanged}(\sigma - \{E.\mathit{words}\})$$

$$\mathit{manipulate} \;\triangleq\; M1 \vee M2 \vee M3 \vee M4$$

The action of the penetrator sending a message to one legitimate participant ostensibly from another legitimate participant is defined by

$$\mathit{impersonate} \;\triangleq\; (\exists P_i, P_j, m)[\, m \in E.\mathit{words} \;\wedge\; \mathrm{send}(P_i, P_j, m) \;\wedge\; \mathrm{Unchanged}(\sigma - \{\mu\})\,]$$

We can now define a penetrator action as consisting of one of the above actions.

$$E\text{-}\mathit{Action} \;\triangleq\; \mathit{intercept} \;\vee\; \mathit{manipulate} \;\vee\; \mathit{impersonate} \qquad (3)$$

The capability of starting up any number of legitimate participants will be modeled by placing an infinite number of initiators $\{A_1, A_2, \ldots\}$, an infinite number of receivers $\{B_1, B_2, \ldots\}$, and (if appropriate) an infinite number of key servers $\{S_1, S_2, \ldots\}$ in parallel with the penetrator, $E$. That is, the $A_i$, $B_j$, and $S_k$ will be among the set of agents, $P_1, P_2, \ldots$. Then, the penetrator can make use of as many of these legitimate participants as needed to launch an attack.
2.5 The Flexibility of the Model

A few comments on the flexibility of our model of the penetrator are in order.

First, note that the $M3$ and $M4$ actions are our formalization of the algebraic properties of the encryption algorithm used in the protocol. To analyze a protocol that uses an encryption algorithm with different algebraic properties, we can simply substitute actions describing those properties for $M3$ and $M4$. For example, if a protocol uses the "exclusive or" ($\oplus$) operator, we might want to model the commutativity property of $\oplus$ by including the following action.

$$M3' \;\triangleq\; (\exists w_1, w_2)[\, \oplus(w_1, w_2) \in E.\mathit{words} \;\wedge\; E.\mathit{words}' = E.\mathit{words} \cup \{\oplus(w_2, w_1)\}\,] \;\wedge\; \mathrm{Unchanged}(\sigma - \{E.\mathit{words}\})$$

In contrast, making such a change in Meadows' method would present serious difficulties. This is because Meadows models the algebraic properties of the encryption algorithm as a Noetherian and locally confluent term rewriting system. In such systems, all terms have a unique canonical form, the so-called "reduced form". However, due to commutativity, $\oplus(w_1, w_2)$ can be rewritten as $\oplus(w_2, w_1)$ and then back again; there is no unique canonical form. Accommodating such an encryption algorithm would require a major change to her tool. This is because the algorithm at the heart of her tool, the narrowing algorithm, depends on the Noetherian and locally confluent properties. At each step of her analysis, all words are rewritten in reduced form.

Second, note that we could easily insert additional penetrator capabilities into Formula 3. For example, if we wanted to reason about attacks such as the Denning-Sacco attack on the Needham-Schroeder protocol [DS81], we could include a "compromise key" capability, which could be used by the penetrator to obtain previously used keys.

The possibilities of adding penetrator capabilities and changing the underlying encryption algorithm illustrate the flexibility and power of modelling the penetrator in temporal logic. Further, our approach makes the model of the penetrator explicit. As we will see in the next section, we use the same language to specify the protocol being analyzed and the requirements being proven. Thus, all definitions and assumptions used in the analysis are stated in a single language, rather than, e.g., being partly buried in the definition of the automated tool.
3 A First Example

As our first example, we chose something extremely simple. Our motivations are to provide a rough idea of what's involved in applying our approach and to provide some evidence that the approach is feasible.

The example we chose cannot even be called a protocol; it is the example used by Meadows in [Mea92, pages 15-16] to illustrate the use of her method. In Meadows' formalism, the example consists of a single rule, viz.,

$$\text{If } Y \in W \text{ and } \mathrm{KEYSTATE}(Z) = X \text{ then } W := W \cup \{\mathrm{encrypt}(Y, X)\}$$

where $W$ is the set of words known to the penetrator, which we've called $E.\mathit{words}$.

The intuition behind this rule is that the legitimate protocol participant, $Z$, possesses a key, denoted $\mathrm{KEYSTATE}(Z)$. Whenever $Z$ receives a word, it encrypts that word with $\mathrm{KEYSTATE}(Z)$ and returns the result. We can specify this rule in our approach as follows.

$$Z1 \;\triangleq\; Z.pc = 1 \;\wedge\; \mathrm{receive}(Z, Z.p, Z.x) \;\wedge\; Z.pc' = 2 \;\wedge\; \mathrm{Unchanged}(\sigma - \{\mu, Z.p, Z.x, Z.pc\})$$

$$Z2 \;\triangleq\; Z.pc = 2 \;\wedge\; \mathrm{send}(Z, Z.p, \mathrm{encrypt}(Z.x, \mathrm{KEYSTATE}(Z))) \;\wedge\; Z.pc' = 1 \;\wedge\; \mathrm{Unchanged}(\sigma - \{\mu, Z.pc\})$$

$$Z\text{-}\mathit{Init} \;\triangleq\; Z.pc = 1 \;\wedge\; Z.x = \mathrm{NULL}$$

We specify the protocol running in parallel with the penetrator as

$$R \;\triangleq\; Z\text{-}\mathit{Init} \;\wedge\; \mu = \{\} \;\wedge\; E\text{-}\mathit{Init} \;\wedge\; \Box(Z1 \vee Z2 \vee E\text{-}\mathit{Action}) \qquad (4)$$

(where $E\text{-}\mathit{Init}$ will be described below).

Our description is clearly not as compact as Meadows'. There are two reasons for this.

1. We have included a program counter $pc$ that allows $Z$ to keep track of its place in the protocol. In the present example, it simply alternates between receiving and sending. In Meadows' formalism, the act of receiving a message and sending a reply is treated as a single action and so she does not need to maintain a program counter for this simple example. In more complex examples, involving multiple rules that are performed in sequence, Meadows' formalization would be similar to ours.

2. We state explicitly which variables do not change. In Meadows' method, if a variable is not mentioned, it is assumed to remain unchanged. We could adopt this approach too. However, as pointed out by Lamport [Lam91, page 59], this introduces an "inherent complexity epitomized by the observation that $y' = y'$ is not equivalent to true." (The former allows $y$ to change, whereas the latter does not.)

For this first example, we want to prove that the penetrator cannot obtain a particular word, $a$. This is easily formalized in temporal logic as

$$R \Rightarrow \Box(a \notin E.\mathit{words})$$

(where $R$ is the specification of the protocol). The standard approach to proving such a formula is to prove that

$$a \notin E.\mathit{words} \qquad (5)$$

is an invariant over the system transition relation. However, as is typically the case, this formula is not strong enough to be directly proved invariant. Meadows describes why this is the case in terms of her tool [Mea92, page 16]. In terms of temporal logic, the problem is as follows.

Suppose we have a state where the penetrator has obtained $\mathrm{encrypt}(a, k)$ and $k$ for some word $k$, but not yet obtained $a$. In this state, Equation 5 is true. But the penetrator can obtain $a$ by performing the decryption (in our model, an $M2$ step that adds $\mathrm{decrypt}(\mathrm{encrypt}(a, k), k)$ followed by an $M3$ step that adds $a$); after the $M2$ step, Equation 5 is still true, and the single $M3$ transition then makes it false. Thus, Equation 5 is not a sufficient condition on the pre-state to ensure that Equation 5 will hold in the post-state.

Meadows solves this problem by defining a formal language by way of the following context-free grammar.⁵

$$K \rightarrow a$$
$$K \rightarrow \mathrm{encrypt}(K, L)$$
$$K \rightarrow \mathrm{decrypt}(K, L)$$

where $L$ is the language consisting of all words not containing variables. Meadows then proves that

The penetrator does not possess any word in $K$.

is invariant. The technique she uses to prove this is rather complicated and only partly formalized. It involves transforming the grammar rules into Prolog goals, running her automated tool on them, and then interpreting the results again in terms of the context-free grammar.

⁵ We've made a few minor syntactic changes to Meadows' grammar to bring it in line with our notation.
In contrast, we can formalize the entire proof in terms of temporal logic. First, we specify the set of words $K$ as follows.

$$(\forall w)\; w \in K \;\Leftrightarrow\; \big(\, w = a \;\vee\; (\exists k, l)[\, w = \mathrm{encrypt}(k, l) \wedge k \in K\,] \;\vee\; (\exists k, l)[\, w = \mathrm{decrypt}(k, l) \wedge k \in K\,] \,\big) \qquad (6)$$

Since we explicitly include the communication medium $\mu$ and the participant's local variable $Z.x$ in our model, we cannot simply use

$$(\forall w)[\, w \notin E.\mathit{words} \;\vee\; w \notin K\,]$$

as our invariant. In particular, if a word in $K$ is present on the communication medium $\mu$ or in the variable $Z.x$ (when $Z$'s program counter is 2), then it can be obtained by the penetrator. Therefore, we use the following formula as our invariant.

$$\mathit{INV} \;\triangleq\; \big(\, (Z.x \notin K \;\vee\; Z.pc \neq 2) \;\wedge\; (\forall w)[\, w \notin E.\mathit{words} \;\vee\; w \notin K\,] \;\wedge\; (\forall P_1, P_2, w)[\, (P_1, P_2, w) \notin \mu \;\vee\; w \notin K\,] \,\big) \qquad (7)$$

Now we can see what is needed as the penetrator's initial condition, namely, we need an initial condition that is strong enough that we will be able to prove $\mathit{INV}$ is initially true. The following is sufficient.

$$E\text{-}\mathit{Init} \;\triangleq\; (\forall w)[\, w \notin E.\mathit{words} \;\vee\; w \notin K\,]$$
We can now state and prove our theorem.

Theorem 3.1

$$R \Rightarrow \Box(a \notin E.\mathit{words})$$

Proof: In overview, the proof goes like this. We use induction to prove

$$R \Rightarrow \Box(\mathit{INV}) \qquad (8)$$

and we show that

$$\mathit{INV} \Rightarrow a \notin E.\mathit{words} \qquad (9)$$

and finally, from Formulas 8 and 9 we can easily establish the theorem.

Proving Formulas 8 and 9 is straightforward, mainly requiring a lot of case checking. To provide an idea of what's involved, we prove part of Formula 8.
From the definition of $R$ (Formula 4), we see that it is sufficient to prove a base case:

$$(Z\text{-}\mathit{Init} \;\wedge\; \mu = \{\} \;\wedge\; E\text{-}\mathit{Init}) \Rightarrow \mathit{INV} \qquad (10)$$

and an induction case:

$$((Z1 \vee Z2 \vee E\text{-}\mathit{Action}) \;\wedge\; \mathit{INV}) \Rightarrow \mathit{INV}' \qquad (11)$$

(where $\mathit{INV}'$ is the formula obtained from $\mathit{INV}$ by replacing all program variables with their primed counterparts).

We prove Formula 10 by assuming $Z\text{-}\mathit{Init}$, $\mu = \{\}$, $E\text{-}\mathit{Init}$, and $\neg\mathit{INV}$ and showing that these assumptions lead to a contradiction. Applying some definitions (and distributing the $\neg$ as far as possible), we have the following assumptions.

(a1) $Z.pc = 1$

(a2) $Z.x = \mathrm{NULL}$

(a3) $\mu = \{\}$

(a4) $(\forall w)[\, w \notin E.\mathit{words} \;\vee\; w \notin K\,]$

(a5) $(Z.x \in K \;\wedge\; Z.pc = 2) \;\vee\; (\exists w)[\, w \in E.\mathit{words} \;\wedge\; w \in K\,] \;\vee\; (\exists P_1, P_2, w)[\, (P_1, P_2, w) \in \mu \;\wedge\; w \in K\,]$

We break (a5) into three cases corresponding to the three disjuncts.

Case 1: $Z.x \in K \;\wedge\; Z.pc = 2$

From (a1), we immediately obtain the contradiction $2 = 1$.

Case 2: $(\exists w)[\, w \in E.\mathit{words} \;\wedge\; w \in K\,]$

Existentially instantiating $w$ (to a constant $w_0$), we have

$$w_0 \in E.\mathit{words} \;\wedge\; w_0 \in K$$

and instantiating $w$ in (a4) to $w_0$, we obtain a contradiction.

Case 3: $(\exists P_1, P_2, w)[\, (P_1, P_2, w) \in \mu \;\wedge\; w \in K\,]$

Existentially instantiating $P_1$, $P_2$, and $w$ to constants and making use of (a3), we have $(P_1, P_2, w) \in \{\}$, which is a contradiction of basic set theory.

Thus, in all cases we have a contradiction and Formula 10 is proved.

To prove Formula 11 we again proceed by contradiction. We assume $(Z1 \vee Z2 \vee E\text{-}\mathit{Action})$ and $\mathit{INV}$ and $\neg\mathit{INV}'$. Applying some definitions, we have the following assumptions.

(b1) $Z1 \;\vee\; Z2 \;\vee\; \mathit{intercept} \;\vee\; \mathit{impersonate} \;\vee\; M1 \;\vee\; M2 \;\vee\; M3 \;\vee\; M4$

(b2) $Z.x \notin K \;\vee\; Z.pc \neq 2$

(b3) $(\forall w)[\, w \notin E.\mathit{words} \;\vee\; w \notin K\,]$

(b4) $(\forall P_1, P_2, w)[\, (P_1, P_2, w) \notin \mu \;\vee\; w \notin K\,]$

(b5) $(Z.x' \in K \;\wedge\; Z.pc' = 2) \;\vee\; (\exists w)[\, w \in E.\mathit{words}' \;\wedge\; w \in K\,] \;\vee\; (\exists P_1, P_2, w)[\, (P_1, P_2, w) \in \mu' \;\wedge\; w \in K\,]$

We can now proceed by considering a large number of cases. In particular, there are eight cases corresponding to the eight disjuncts of (b1) and each of those has three subcases corresponding to the three disjuncts of (b5). Hence, there are a total of 24 subcases. Since all of these subcases are straightforward, we give only a few as a sample of the kind of reasoning that is involved.

Case 1: $Z1$

By the definition of $Z1$, we have the following.

(c1.1) $Z.pc = 1$

(c1.2) $\mathrm{receive}(Z, Z.p, Z.x)$

(c1.3) $Z.pc' = 2$

(c1.4) $\mathrm{Unchanged}(\sigma - \{\mu, Z.p, Z.x, Z.pc\})$

Subcase 1.1: $Z.x' \in K \;\wedge\; Z.pc' = 2$

By (c1.2), the definition of receive (Formula 2), and existential instantiation, we have $(P_j, Z, m) \in \mu$ (where $P_j$ is a constant) and $Z.x' = m$. By the Subcase 1.1 assumption, we have

$$(P_j, Z, m) \in \mu \;\wedge\; m \in K$$

and instantiating (b4) with $P_1 = P_j$, $P_2 = Z$, and $w = m$, we obtain a contradiction.

Subcase 1.2: $(\exists w)[\, w \in E.\mathit{words}' \;\wedge\; w \in K\,]$

By existential instantiation, we have $w_0 \in E.\mathit{words}'$ and $w_0 \in K$ for some constant $w_0$. By (c1.4) we know that $E.\mathit{words}' = E.\mathit{words}$. Therefore, we have that

$$w_0 \in E.\mathit{words} \;\wedge\; w_0 \in K$$

which, by appropriately instantiating (b3), is a contradiction.

Subcase 1.3: $(\exists P_1, P_2, w)[\, (P_1, P_2, w) \in \mu' \;\wedge\; w \in K\,]$

By existential instantiation, we have $(P_1, P_2, w_0) \in \mu'$ and $w_0 \in K$ for constants $P_1$, $P_2$, and $w_0$. Further, by (c1.2), the definition of receive (Formula 2), and existential instantiation, we have $\mu' = \mu - \{(P_j, Z, m)\}$ (where $P_j$ and $m$ are constants). Thus, we have $(P_1, P_2, w_0) \in \mu - \{(P_j, Z, m)\}$, which, by basic set theory, implies

$$(P_1, P_2, w_0) \in \mu \;\wedge\; w_0 \in K$$

which, by appropriately instantiating (b4), is a contradiction.

Cases 2-8: These cases are similar in complexity to Case 1.

□

From the above proof we see that, given a usable invariant ($\mathit{INV}$), proving that a penetrator cannot obtain a key reduces to straightforward logic. We make two remarks.

1. We do not need fancy epistemic, nonmonotonic, or other special-purpose logics. Properties of cryptographic protocols can be proved using the standard approach used for other properties in distributed systems.

2. There is a lot of room for automation. The proof techniques involved are not sophisticated and we expect that standard theorem provers can be successfully applied to cryptographic protocols.
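As an added illustration of the second remark (this code is not part of the paper and is not Meadows' tool), the following Python model encodes words, the penetrator actions intercept, M1 to M4 and impersonate of Section 2.4, the participant actions Z1 and Z2, the language K of Formula 6 and the invariant INV of Formula 7, and checks Formulas 10 and 11 exhaustively over a small constructed universe of states. The atoms a, k and n, the key kz standing for KEYSTATE(Z), the agent names Z and E, and the lists WORDS and MSGS are all assumptions made for the example. The check is bounded and so is not a proof, but every state in the universe that satisfies INV has only INV-satisfying successors, which is the case analysis of Formula 11 done mechanically. The last function exhibits the state discussed after Equation 5, in which a is not in E.words but one M3 transition yields a.

```python
"""Bounded mechanical check of Section 3 (added example, not the paper's own
proof or Meadows' tool).  A word is an atom (string) or a tuple ('enc', m, k)
or ('dec', m, k) standing for encrypt(m, k) or decrypt(m, k).  Assumed names:
the protected word is 'a', KEYSTATE(Z) is 'kz', the agents are 'Z' and the
penetrator 'E'; 'k', 'n', WORDS and MSGS are a constructed finite universe."""
from itertools import chain, combinations

A, KZ, Z, E = 'a', 'kz', 'Z', 'E'

def enc(m, k):
    return ('enc', m, k)

def dec(m, k):
    return ('dec', m, k)

def in_K(w):
    """Formula 6: w in K iff w = a, or w = encrypt(k, l) / decrypt(k, l) with k in K."""
    return w == A or (isinstance(w, tuple) and w[0] in ('enc', 'dec') and in_K(w[1]))

def mk(z_pc, z_p, z_x, mu, ewords):
    """Global state: Z.pc, Z.p, Z.x, the medium mu of (sender, receiver, word)
    triples, and E.words; frozensets so that states are hashable."""
    return (z_pc, z_p, z_x, frozenset(mu), frozenset(ewords))

def INV(s):
    """Formula 7."""
    z_pc, _, z_x, mu, ewords = s
    return ((not in_K(z_x) or z_pc != 2)
            and not any(in_K(w) for w in ewords)
            and not any(in_K(w) for (_, _, w) in mu))

def successors(s):
    """Every post-state reachable from s by one Z1, Z2 or E-Action step."""
    z_pc, z_p, z_x, mu, ewords = s
    out = set()
    if z_pc == 1:                                   # Z1: receive(Z, Z.p, Z.x)
        for (snd, rcv, m) in mu:
            if rcv == Z:
                out.add(mk(2, snd, m, mu - {(snd, rcv, m)}, ewords))
    if z_pc == 2:                                   # Z2: send(Z, Z.p, encrypt(Z.x, KEYSTATE(Z)))
        out.add(mk(1, z_p, z_x, mu | {(Z, z_p, enc(z_x, KZ))}, ewords))
    for t in mu:                                    # intercept
        out.add(mk(z_pc, z_p, z_x, mu - {t}, ewords | {t[2]}))
    for m in ewords:
        for k in ewords:                            # M1 and M2
            out.add(mk(z_pc, z_p, z_x, mu, ewords | {enc(m, k)}))
            out.add(mk(z_pc, z_p, z_x, mu, ewords | {dec(m, k)}))
        if (isinstance(m, tuple) and isinstance(m[1], tuple) and m[2] == m[1][2]
                and (m[0], m[1][0]) in (('dec', 'enc'), ('enc', 'dec'))):
            out.add(mk(z_pc, z_p, z_x, mu, ewords | {m[1][1]}))   # M3 and M4
        for pi in (Z, E):                           # impersonate: send(Pi, Pj, m)
            for pj in (Z, E):
                out.add(mk(z_pc, z_p, z_x, mu | {(pi, pj, m)}, ewords))
    return out

def powerset(xs):
    xs = list(xs)
    return chain.from_iterable(combinations(xs, r) for r in range(len(xs) + 1))

WORDS = [A, 'k', 'n', enc(A, 'k'), enc('n', 'k'), dec(enc(A, 'k'), 'k')]
MSGS = [(E, Z, 'n'), (E, Z, 'k'), (E, Z, enc(A, 'k')), (Z, E, enc('n', KZ))]

def bounded_states():
    """All 8192 states whose components are drawn from the constructed universe."""
    for ewords in powerset(WORDS):
        for mu in powerset(MSGS):
            for z_x in ('NULL', 'n', A, enc('n', 'k')):
                for z_pc in (1, 2):
                    yield mk(z_pc, E, z_x, mu, ewords)

def check_base_case():
    """Formula 10: Z-Init, mu = {} and E-Init imply INV, for every E.words in
    the universe that satisfies E-Init (contains no word of K)."""
    return all(INV(mk(1, E, 'NULL', (), ewords))
               for ewords in powerset(WORDS) if not any(in_K(w) for w in ewords))

def check_inductive_step():
    """Formula 11 on the universe: every successor of every INV state satisfies
    INV.  Returns (ok, number of INV states checked, counterexample or None)."""
    checked = 0
    for s in bounded_states():
        if INV(s):
            checked += 1
            for t in successors(s):
                if not INV(t):
                    return (False, checked, (s, t))
    return (True, checked, None)

def equation5_counterexample():
    """Equation 5 alone is not inductive: with decrypt(encrypt(a, k), k) in
    E.words, a is absent before and present after a single M3 step."""
    s = mk(1, E, 'NULL', (), {dec(enc(A, 'k'), 'k')})
    hits = [(s, t) for t in successors(s) if A not in s[4] and A in t[4]]
    return hits[0] if hits else None
```

Enlarging WORDS or MSGS enlarges the universe without changing the checks, and replacing the M3/M4 branch of successors by an M3'-style rule is the same substitution the text describes in Section 2.5; the invariant that a larger universe would break is then caught as a concrete (pre-state, post-state) pair rather than as a failed subcase on paper.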


4 Other Protocol Requirements

As mentioned previously, it is essential that we are able to prove that the penetrator cannot obtain particular words. However, there are many more properties that we will want to specify and prove. For example, we can adapt the requirements described by Syverson and Meadows [SM94] to our model. Our formalization of these requirements will be rather different from theirs. We discuss the differences below. Now we describe one of their requirements, both informally and formally.
No Key Reuse (informal statement) Once a key has been accepted for a given session between two given participants, it will never be accepted again for a different session or with different participants.

We will formalize this requirement by first assuming that each legitimate participant has a local state variable called $\mathit{accept}$. We think of this variable as a four-dimensional array indexed by a key, a session ID, an initiating principal, and a receiving principal. We will denote particular elements of $\mathit{accept}$ as $\mathit{accept}(K, M, A, B)$.

Each legitimate participant of the protocol will manipulate its $\mathit{accept}$ array as follows.

• Initially, each principal's entire array will be initialized to false.

• Whenever a principal accepts $K$ as the key for a given session, $M$, with $A$ as the initiator and $B$ as the receiver, that principal will set $\mathit{accept}(K, M, A, B)$ to true. (Note: for any legitimate participant in the protocol, $P$, the third index of $P$'s $\mathit{accept}$ array will represent the initiator and the fourth index will represent the receiver; this is independent of whether $P$ is the initiating or receiving principal.)

• Once an element of the $\mathit{accept}$ array has been set to true, it will never be reset to false.

Thus, for a given principal, $P$, $P$'s $\mathit{accept}$ array is meant to indicate which keys $P$ has accepted (at any time in the past) for which sessions involving which principals.

We remark that the $\mathit{accept}$ array is not meant to be a part of the actual protocol implementation. It is better thought of as an auxiliary variable, analogous to, e.g., "history variables" used in standard proofs of program correctness (e.g., see [AL91]). Its primary purpose is to make the specification and proof of our requirements easier. In an actual implementation, it would be omitted or, at the very least, its implementation would be improved to save on storage space.

Given the above usage of the $\mathit{accept}$ array, we can formalize the above requirement as follows.

$$\Box\big(\, (P_1.\mathit{accept}(K, M_1, A_1, B_1) \;\wedge\; P_2.\mathit{accept}(K, M_2, A_2, B_2)) \Rightarrow (M_1 = M_2 \;\wedge\; A_1 = A_2 \;\wedge\; B_1 = B_2) \,\big) \qquad (12)$$

(where $P_1$, $P_2$, $K$, $M_1$, $M_2$, $A_1$, $A_2$, $B_1$, and $B_2$ are all universally quantified variables).

Note that this is a standard safety property. In particular, Equation 12 is a straightforward state invariant and we believe we can again use the standard approach to verify it.
Now we discuss the difference between our formalization and Syverson and
Meadows'. They formalized the "No Key Reuse" requirement as follows.

accept_init(user(A, honest), user(B, honest), K, M1) →
    ¬(◇ accept_init(user(C, honest), user(D, X), K, M2)) ∧
    (◇ accept_rec(user(C, honest), user(D, X), K, M3) → (C = B ∧ D = A))

(where ◇ means "at some time in the past" and all variables are universally
quantified).

One difference between our formalization and the above is that Syverson and
Meadows use actions to indicate that a particular participant has accepted a
key, whereas we have used state variables. For example, accept_init is an
action indicating that a given participant, acting in the initiating role, accepts
a given key for a given session. We do not believe that this difference is
particularly significant in itself; the two approaches to identifying this event
may be interchangeable.

A more significant difference is that in Syverson and Meadows' language, there
is an implicit quantification over all time. That is, we can think of the above
formula as having the "always" operator (□) out front. Thus, we see that
their formalization makes use of nested temporal operators. In their approach,
proving such a formula involves checking numerous paths through the set of
possible executions.

Essentially, Syverson and Meadows are making use of simple temporal reasoning.
We therefore believe that we will be able to complete an analogous proof using
temporal logic (although we haven't tried it yet). However, we also believe we
will be able to complete a simpler proof by using our invariant. In particular,
our invariant is free of temporal quantifiers and so we should be able to complete
the proof by simply reasoning about state pairs; no temporal reasoning will be
required. Of course, it remains to be seen whether this will work out as we
expect.
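To make the contrast between the two formalizations concrete, here is an added example (not from the paper or from Meadows' tool): a finite-trace model in which each principal's accept array is kept as a history variable, the "No Key Reuse" invariant of Equation 12 is checked on each reachable state in isolation, and the action-based past-time reading of the same requirement is evaluated by scanning the execution prefix. The principals, keys and sessions in the traces are constructed for illustration.

```python
# Added example (not from the paper): the accept array as a history
# variable, Equation 12 checked as a state invariant, and the past-time
# reading of "No Key Reuse" that must revisit the execution prefix.
from itertools import combinations

def initial_state():
    """Every principal's accept array is all false: no entries yet."""
    return {}

def step(state, event):
    """Transition: principal p accepts key k for session m with initiator
    a and receiver b. Entries are only ever set to true, never reset."""
    p, k, m, a, b = event
    new = {q: set(s) for q, s in state.items()}
    new.setdefault(p, set()).add((k, m, a, b))
    return new

def invariant(state):
    """Equation 12 as a state predicate: for all P1, P2 and all entries of
    their accept arrays that share key K, the (M, A, B) parts agree."""
    entries = [e for s in state.values() for e in s]
    return all(e1[1:] == e2[1:] for e1, e2 in combinations(entries, 2)
               if e1[0] == e2[0])

def first_violation(trace):
    """Run the trace from the initial state and check each successor state
    on its own; nothing earlier in the execution is revisited. Returns the
    index of the first event whose resulting state breaks the invariant."""
    state = initial_state()
    assert invariant(state)                      # holds initially
    for i, event in enumerate(trace):
        state = step(state, event)
        if not invariant(state):
            return i
    return None

def first_past_time_violation(trace):
    """Action-based reading: an accept of K at time i is a violation if at
    some time in the past K was accepted for a different session or for
    different participants. This needs the whole prefix trace[:i]."""
    for i, (_, k, m, a, b) in enumerate(trace):
        if any(pk == k and (pm, pa, pb) != (m, a, b)
               for (_, pk, pm, pa, pb) in trace[:i]):
            return i
    return None

# Constructed traces. GOOD: K1 used only in session M1 between A and B,
# K2 only in session M2 between A and C. BAD: K1 reappears in session M3.
GOOD = [("A", "K1", "M1", "A", "B"), ("B", "K1", "M1", "A", "B"),
        ("A", "K2", "M2", "A", "C"), ("C", "K2", "M2", "A", "C")]
BAD = GOOD + [("C", "K1", "M3", "C", "B")]
```

Because the third and fourth indices always mean initiator and receiver regardless of which principal holds the array, two honest parties recording the same key with the roles swapped also falsify the invariant.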


5 Further Comparison to Meadows' Method

In Meadows' method, things are rather disjoint.

1. The model of the penetrator is partly specified as a few Prolog rules (i.e.,
the set of Noetherian and locally confluent rewrite rules) and partly integrated
into the tool (i.e., manifesting itself in the form of the language for
specifying the protocol).

2. Context-free grammars are used to specify sets of words that are unobtainable
by the penetrator.

3. Requirements are specified in temporal logic and then translated by hand
into Prolog goals [SM93][SM94].

4. The protocol is specified as a set of Prolog rules.

5. Due to the variety of languages used to describe various aspects of theorems,
the proofs in Meadows' method are necessarily carried out using a
mixture of formal and informal techniques.

In contrast, in our method, all of the above are carried out using temporal logic.
The protocol, the correctness requirements of the protocol, the capabilities of
the penetrator, and all ancillary definitions such as sets of unobtainable words
are specified as formulas in temporal logic. Further, all proofs are carried out
in temporal logic.


6 Discussion

We have shown that standard linear-time temporal logic can be used to specify
cryptographic protocols, model a system penetrator, and specify correctness
requirements. Although we have yet to apply our technique to a wide variety
of protocol properties, we believe it is clear that the modeling environment
presented in this paper is sufficient to reason about standard protocol properties.
By not being specific to cryptographic protocols per se, it also affords a wide
degree of flexibility not available in other techniques. For example, although
we have given a penetrator only the ability to intercept a message, manipulate
his current word set, and impersonate a protocol participant, we could easily
add further abilities (e.g., to compromise a key). Other advantages we expect
to achieve with our method include the following.

1. Our approach is more general than Meadows' work. As discussed in Section
2.5, we are not limited by the particular algebraic properties of the
underlying encryption algorithm.

2. Our approach will be easily integrated into other formal methods. Since we
use standard concepts from temporal logic, it should be straightforward
to integrate proofs of other properties (e.g., fault tolerance properties)
with our proofs. We even expect to be able to use the same protocol
specification and prove that it satisfies security requirements as well as
other properties. Further, it should be possible to make use of general
purpose theorem provers to carry out the verification.

3. Our method will provide greater assurance in the correctness of the protocol
than Meadows' method. This is because the result of applying our
method will be a clear-cut theorem and proof. The theorem will state that
a particular protocol, executing in parallel with a particular penetrator,
satisfies a particular goal, where all definitions and assumptions are stated
as formulas in a single logic. Further, the proof will be carried out in that
same logic.